When I first skim-read a recent insurer announcement regarding a new cyber coverage they were bringing to market, I skeptically and, as it turned out, incorrectly, interpreted the cover as being akin to that of an existing (and fairly standard) cyber coverage. I was wrong, and upon re-reading the release with less haste, it was obvious why.
Put simply, this new offering covers a business’s lost income (Business Interruption) that results from one of its clients experiencing a cyber event which impacts that client’s ability or need to continue buying the business’s products or engaging its services.
This should not be confused with ‘Non-IT Contingent Business Interruption’ (CBI), which deals with a business’s lost income following a cyber event that impacts one of its non-technology-related service providers / vendors.
At first glance, this has the characteristics of a sort of ‘Trade Credit for Cyber’ insurance. But it is not — rather than insuring bad debts and accounts receivable (Trade Credit), this covers the potential future lost earnings that result from one of the business’s key clients being severely impacted by a cyber event, to the extent that it affects their purchasing behaviour (by reducing, suspending, or cancelling orders or contracts that they have with the business).
In practical terms, while 'Non-IT CBI' protects the business supply chain from cyber-related vendor disruption, this 'Customer BI' insurance protects, let's call it, the "demand chain".
i) How dependent on one (or a small handful of) clients/customers is our business?
ii) Is this a risk that we are comfortable self-insuring on our balance sheet? If not, should we consider transferring all or part of the risk via insurance?
iii) What period of indemnity is appropriate for our business, i.e. how long would it take to replace the income previously earned from the impacted client/customer?
While still in its infancy, this cover is:
